Kimsuky's Ongoing Evolution of KimJongRAT and Expanding Threats
2025-11-21 • ENKI
ENKI attributes an active KimJongRAT-related campaign to Kimsuky, with phishing emails impersonating South Korean public institutions such as the Ministry of Gender Equality and Family and the National Tax Service. The infection chain uses PHPMailer-delivered messages, attacker redirects, GitHub Releases ZIP archives, decoy PDFs, malicious LNK files, mshta, Korean URL shorteners, macro-enabled DOC files, obfuscated VBScript, HTA payloads, and Google Drive-hosted follow-on files. Later stages branch on Windows Defender service state, decrypt AES- or RC4-protected payloads, run sys.dll through rundll32, perform anti-VM checks, and download modules including a Chrome App-Bound Encryption master-key extractor and a KimJongRAT-derived infostealer. The infrastructure and artifacts show Kimsuky adapting social-engineering lures, commodity hosting, layered obfuscation, and browser credential-theft capability against South Korean targets.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | buly.kr | 2025-08-10 | 2026-04-07 |
| DOMAIN | link24.kr | 2025-11-21 | 2026-01-14 |
| DOMAIN | kzloly.nmailhub.com | 2025-11-21 | 2026-01-14 |
| DOMAIN | quemr.mailhubsec.com | 2025-11-21 | 2026-01-14 |
| HASH | 677e77265c7ba52e825fc62023942213 | 2025-09-18 | 2026-01-14 |
| HASH | 5441d8a79411a261546beb1021cb5052 | 2025-09-18 | 2026-01-14 |
| HASH | 172dc997ca6022ec8dff0842e4c7b887 | 2025-09-18 | 2026-01-14 |
| IPv4 | 142.11.248.98 | 2025-09-18 | 2026-01-14 |
| HASH | 76d2cbad8502dce9e70e501c2378d3ff | 2025-11-21 | 2025-11-21 |
| HASH | 2e8bf657d0301fb4c61e29f455d9058e | 2025-11-21 | 2025-11-21 |
| HASH | d69fbf23e7492618cadc63d171010cd8 | 2025-11-21 | 2025-11-21 |
| HASH | 77f131bc8f660f85812c0d2e0da8e77e | 2025-11-21 | 2025-11-21 |
| HASH | d9ecf148c88bfd9791758b3be1a9f459 | 2025-11-21 | 2025-11-21 |
| HASH | 003ea91e9f52ecfdc3aadb2732e9b54c | 2025-11-21 | 2025-11-21 |
| HASH | c69909ea3c131181fa7ae12155bcae17 | 2025-11-21 | 2025-11-21 |
| HASH | e3a937869322cc4cd765fcbf16d5b9ea | 2025-11-21 | 2025-11-21 |
| HASH | c0ee9a9046d82b294b3bf3bec997fc45 | 2025-11-21 | 2025-11-21 |
| HASH | 66c4e2dd235c4d8d31abaf96e051585e | 2025-11-21 | 2025-11-21 |
| HASH | 8b6580e14b8164e28e684d48691ddf4d | 2025-11-21 | 2025-11-21 |
| HASH | 7d098f0f41601216ffd2e7f06da56c7… | 2025-11-21 | 2025-11-21 |
| HASH | f000df00a424cefcd8efff48ab167169 | 2025-11-21 | 2025-11-21 |
| EMAIL | [email protected] | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://link24.kr/HSXrWzV | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/ucexpo… | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://buly.kr/EooX5dX | 2025-11-21 | 2025-11-21 |
| DOMAIN | natezlx.myvnc.com | 2025-11-21 | 2025-11-21 |
| DOMAIN | nid-naverbpk.onthewifi.com | 2025-11-21 | 2025-11-21 |
| DOMAIN | daumcyd.ddns.net | 2025-11-21 | 2025-11-21 |
| IPv4 | 27.102.113.20 | 2025-11-21 | 2025-11-21 |
| IPv4 | 103.249.28.34 | 2025-11-21 | 2025-11-21 |
| IPv4 | 27.102.113.170 | 2025-11-21 | 2025-11-21 |
| IPv4 | 183.111.226.13 | 2025-11-21 | 2025-11-21 |
| IPv4 | 27.102.113.209 | 2025-11-21 | 2025-11-21 |
| IPv4 | 27.102.113.107 | 2025-11-21 | 2025-11-21 |
| IPv4 | 160.202.160.248 | 2025-11-21 | 2025-11-21 |
| IPv4 | 61.97.243.9 | 2025-11-21 | 2025-11-21 |
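The table above is only useful if it can be consumed without error: several values are truncated with "…", one row lost its type column, and a hash with a typo would silently become a rule that never fires. The following is an added example, not ENKI's code, that parses a subset of this page's table into validated indicators, drops the truncated rows instead of turning them into prefix rules, and runs the result over constructed proxy-log lines and process-creation events shaped like the LNK, mshta and rundll32 sys.dll chain described in the summary. The log formats, client addresses and event tuples are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Subset of the IoC table above, embedded verbatim so the example runs offline.
IOC_TABLE = """\
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | buly.kr | 2025-08-10 | 2026-04-07 |
| DOMAIN | link24.kr | 2025-11-21 | 2026-01-14 |
| HASH | 677e77265c7ba52e825fc62023942213 | 2025-09-18 | 2026-01-14 |
| HASH | 7d098f0f41601216ffd2e7f06da56c7… | 2025-11-21 | 2025-11-21 |
| IPv4 | 142.11.248.98 | 2025-09-18 | 2026-01-14 |
| URL | https://drive.google.com/uc?exp… | 2025-11-21 | 2025-11-21 |
| URL | https://link24.kr/HSXrWzV | 2025-11-21 | 2025-11-21 |
| DOMAIN | daumcyd.ddns.net | 2025-11-21 | 2025-11-21 |
| IPv4 | 27.102.113.20 | 2025-11-21 | 2025-11-21 |
"""

@dataclass(frozen=True)
class Ioc:
    kind: str   # DOMAIN, HASH, IPV4 or URL
    value: str

def parse_ioc_table(markdown: str) -> list[Ioc]:
    """Turn '| Type | Value | First Seen | Last Seen |' rows into Ioc objects.
    Values ending in '…' were truncated on the page and are dropped; hashes must
    be 32 hex chars (MD5, as on this page) and IPv4 values must parse."""
    iocs = []
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0].lower() == "type" or cells[0].startswith("-"):
            continue
        kind, value = cells[0].upper(), cells[1]
        if value.endswith("…"):
            continue
        if kind == "HASH":
            value = value.lower()
            if not re.fullmatch(r"[0-9a-f]{32}", value):
                continue
        elif kind == "IPV4":
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                continue
        elif kind == "DOMAIN":
            value = value.lower().rstrip(".")
        elif kind != "URL":
            continue
        iocs.append(Ioc(kind, value))
    return iocs

def _host_hits(host: str, domains: set[str]) -> bool:
    # Exact match or any subdomain of a listed domain.
    return any(host == d or host.endswith("." + d) for d in domains)

# Constructed proxy log: "<time> <client> <dest_ip> <url>" (assumed format).
PROXY_LOG = """\
2025-11-21T09:12:04Z 10.0.0.15 142.11.248.98 https://link24.kr/HSXrWzV
2025-11-21T09:12:05Z 10.0.0.15 203.0.113.7 https://drive.google.com/uc?export=download&id=FILEID
2025-11-21T09:13:10Z 10.0.0.22 198.51.100.9 https://www.naver.com/
2025-11-21T09:14:30Z 10.0.0.15 27.102.113.20 http://daumcyd.ddns.net/
"""

def scan_proxy_log(iocs: list[Ioc], log: str) -> list[tuple[str, str, str]]:
    """Return (client, kind, indicator) per hit: URLs match exactly, domains match
    the host or a subdomain, IPv4 matches the destination. drive.google.com is
    deliberately not a domain rule; only the full download URL would be evidence."""
    domains = {i.value for i in iocs if i.kind == "DOMAIN"}
    urls = {i.value for i in iocs if i.kind == "URL"}
    ips = {i.value for i in iocs if i.kind == "IPV4"}
    hits = []
    for line in log.splitlines():
        _ts, client, dest_ip, url = line.split()
        host = (urlsplit(url).hostname or "").lower()
        if url in urls:
            hits.append((client, "URL", url))
        elif _host_hits(host, domains):
            hits.append((client, "DOMAIN", host))
        if dest_ip in ips:
            hits.append((client, "IPV4", dest_ip))
    return hits

# Constructed process-creation events (parent image, image, command line),
# shaped like the LNK -> mshta -> rundll32 sys.dll chain the summary describes.
PROCESS_EVENTS = [
    ("explorer.exe", "mshta.exe", "mshta.exe https://buly.kr/EooX5dX"),
    ("mshta.exe", "rundll32.exe", r"rundll32.exe C:\Users\Public\sys.dll,Run"),
    ("svchost.exe", "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

def flag_process_events(iocs: list[Ioc], events) -> list[str]:
    """Behavioural rules that stay useful after the IoC list goes stale:
    mshta.exe given a remote URL, and rundll32.exe loading a DLL named sys.dll."""
    domains = {i.value for i in iocs if i.kind == "DOMAIN"}
    flags = []
    for parent, image, cmdline in events:
        if image.lower() == "mshta.exe":
            hosts = [(urlsplit(u).hostname or "").lower()
                     for u in re.findall(r"https?://\S+", cmdline)]
            if hosts:
                tag = "known IoC domain" if any(_host_hits(h, domains) for h in hosts) else "unlisted host"
                flags.append(f"mshta.exe fetching remote HTA ({tag}) under {parent}")
        if image.lower() == "rundll32.exe" and re.search(r"[\\/ ]sys\.dll\b", cmdline, re.I):
            flags.append(f"rundll32.exe loading sys.dll under {parent}")
    return flags
```

The behavioural rules are the more durable half: the URL shorteners and Google Drive links in the table rotate cheaply, but mshta.exe launching a remote HTA and rundll32.exe loading a DLL dropped under a user-writable path are properties of the chain itself. Note also that the truncated Google Drive URLs are excluded rather than matched by prefix, since a prefix rule on `https://drive.google.com/uc?exp` would flag every legitimate Drive download.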